IEEE TRANSACTIONS ON MULTIMEDIA, VOL. 11, NO. 5, AUGUST 2009

947

An Efficient Authentication Scheme for Access Control in Mobile Pay-TV Systems Hung-Min Sun and Muh-Chyi Leu

Abstract—In a mobile pay-TV system, a large number of messages are exchanged for mutual authentication purposes. In traditional authentication schemes, with one-to-one delivery, one authentication message per request is delivered from a head end system to subscribers. This results in the delivery of a large quantity of messages and therefore is inefficient and costly. Moreover, since most traditional schemes use an RSA-based signature for identity validation and nonrepudiation of communication, they suffer from high communication costs. Due to its wireless nature, mobile pay-TV is vulnerable to attacks during hand-off. As traditional schemes do not support hand-off authentication, they are insecure during hand-off. With these shortcomings, they are not suitable for mobile pay-TV. In this paper, we propose an innovative authentication scheme, in which, by providing one-to-many facility, only one authentication message for multiple requests is broadcasted from the head end system to subscribers. By employing bilinear property of pairing and elliptic curve cryptography, our scheme provides one-to-many facility in the case of multiple requests for the same service in a short period of time. This new scheme achieves better broadcast efficiency and performance on communication costs than traditional ones. Additionally, this scheme provides a hand-off authentication mechanism to protect the access of services while preventing attacks during hand-off; therefore, the scheme is more secure to support access control. Moreover, to provide anonymous authentication for protecting identity privacy, the scheme adopts an identity-based scheme while traditional schemes do not apply. The scheme inherits advantages of the identity-based scheme that a public key does not need to be certificated, the certification authority mechanism will not be needed and the key exchange overhead can be reduced. With these advantages of our scheme, it is well suited for mobile pay-TV system. 
Index Terms—Authentication, bilinear pairing, conditional access system (CAS), hand-off, mobile pay-TV.

I. INTRODUCTION

Mobile broadcast TV and related technologies have been developing actively in recent years [1], [7], [9], [10], [13], [23]. With the increased integration of pay-TV and wireless communication, multimedia pay service plays an important role in mobile broadcast TV services [10], [13].

Manuscript received May 29, 2008; revised March 09, 2009. First published May 29, 2009; current version published July 17, 2009. This work was supported in part by the Industrial Technology Research Institute (ITRI), Taiwan, R.O.C., under projects 6352B43000 and 6101QV1311 and in part by the National Science Council, Taiwan, under Contracts NSC 97-2221-E-007-055-MY3 and NSC 97-2745-P-001-001. The associate editor coordinating the review of this manuscript and approving it for publication was Dr. Wenjun (Kevin) Zeng. H.-M. Sun is with the Department of Computer Science, National Tsing Hua University, Hsinchu 30013, Taiwan (e-mail: [email protected]). M.-C. Leu is with the Industrial Technology Research Institute, Hsinchu 31040, Taiwan (e-mail: [email protected]). Digital Object Identifier 10.1109/TMM.2009.2021790

Fig. 1. Typical model of CAS.

To guarantee secure and convenient access to services by authorized subscribers while keeping unauthorized subscribers from illegal access, a secure access management mechanism is required [5], [10], [13]. This access management is provided by a conditional access system (CAS) [5], [6], [10], [13], [18], [19], [22], [31], [33]. A typical model of CAS [8], [18], [19] consists of two parts, a head end system and numerous receivers, and is comprised of several important components, as illustrated in Fig. 1, which include:
• Subscriber Authorization/Management System (SAS/SMS): subsystems responsible for subscriber authorization and management; their work includes key management, user authentication, entitlement message delivery, subscriber information management and rights management
• Encrypter: a component for enciphering the Control Word (CW), keys, or sensitive information
• Multiplexer (MUX): a component for multiplexing A/V, data or IP into an MPEG-2 transport stream
• Scrambler: a component for signal scrambling
• Transmitter: a subsystem for signal transmission
• Receiver: a subscriber device with a CAS module used for access control.
In a pay-TV system with a CAS, a service must be scrambled before it is broadcasted. The subscriber's access rights also must be protected. To provide secure access management, a CAS usually uses entitlement management messages and entitlement control messages (EMM/ECM) to update and deliver the rights and control messages to subscriber devices. The scrambler is controlled by a CW. In general, the rights messages mainly consist of the CW, authorization keys and entitlement data. The content of EMM/ECM mainly includes the rights messages in an encrypted form. In a pay-TV scenario, before a subscriber can receive any service, he/she must register with the SAS/SMS of a head end system. After identity verification is performed during registration, the SAS/SMS issues a private key and secret information to this subscriber. When he/she decides to subscribe to certain services, subscription interactions between the SAS/SMS and the subscriber device are generally needed. Due to the different models adopted in pay-TV systems, the CAS generally operates in two modes: one is the broadcast mode, the other is the interactive mode. In the broadcast mode, the SAS/SMS cyclically broadcasts the rights messages through a multiplexer, a scrambler, and transmitters to subscriber devices, and the subscriber device repeatedly listens to receive the rights messages. The subscriber can use his private key, authorization key and entitlement data to obtain services. In the interactive mode, after registration validation, when a subscriber wants to subscribe to services, his subscriber device sends subscription messages via a return path such as GSM/3G to the SAS/SMS. After identity validation and subscription confirmation, the SAS/SMS delivers the rights messages through a multiplexer, a scrambler, and transmitters to this subscriber device. The subscriber can use his private key, authorization key and entitlement data to obtain services. In a CAS, to guarantee secure access by authorized subscribers, both user authentication [8], [17], [28] and key management [12], [22], [31], [33] are required. To ensure the access rights of subscribers, several secret keys needed for authorization management should be frequently delivered to subscribers. However, it is possible that a mobile pay-TV system can be attacked by malicious attackers.

1520-9210/$25.00 © 2009 IEEE Authorized licensed use limited to: Industrial Technology Research Institute. Downloaded on June 09,2010 at 07:58:40 UTC from IEEE Xplore. Restrictions apply.
Key management [5], [12], [22], [31], [33] is also needed for the management and distribution of the secret keys in a secure and efficient mechanism. In user authentication, since numerous authorization keys or rights information are delivered to the subscribers, the user authentication mechanism [17], [28] also requires secure and efficient management support from key management. In this paper, we focus on the user authentication scheme in mobile pay-TV systems. However, due to its wireless nature, mobile TV is vulnerable to attacks by malicious attackers. Any attacks, such as malicious assaults on the system, forging an identity (of a subscriber, device or system), or illegal access to unauthorized information, must be strictly prevented. When a mobile set moves into the coverage area of a new transmitter so that a hand-off occurs [23], the wireless communication is also vulnerable to attacks by malicious attackers. To protect legitimate access by authorized subscribers and to safeguard against these attacks, a security mechanism must be adopted. User authentication [5], [10], [13], [17], [28]–[30] is the security mechanism used to identify subscribers, to verify a legal identity such as a subscriber, device or system, and to repel these attacks. In terrestrial TV, an attacker can easily and cheaply use the same frequency to set up an illegal TV station or transmitter that forges a legal one, causing the legal TV station grave operational problems. On the other hand, if a suitable security and authentication mechanism is not available, an impersonated subscriber can possibly steal or exploit a service [7], [10]. These security problems also exist in mobile pay-TV systems. Therefore, mutual authentication for mobile pay-TV systems becomes a necessary mechanism. Since broadcasting bandwidth is a very precious resource, its efficient use to achieve better broadcast efficiency is an important issue in pay-TV systems including pay-TV, pay-per-view (PPV) and near video-on-demand (near-VOD). However, in a pay-TV system, it is highly probable that many service requests for the same service arrive at a head end system in a short period of time or even simultaneously [2], [11], [32]. To achieve better broadcast efficiency, a pay-TV system usually implements service scheduling or program scheduling [2], [11], [32]; e.g., a traditional CAS schedules entitlement messages for arriving requests [11]. With the large number of subscribers in a CAS, the broadcast efficiency of authentication [11], [13], [17], [28] is also an important issue. For an authentication mechanism of the SAS/SMS, secrecy and privacy are also fundamental requirements. By applying a symmetric key cryptosystem or public key cryptosystem, authentication schemes usually encrypt authentication messages to provide secrecy protection. However, a symmetric key cryptosystem suffers from troublesome key distribution [29]. With increasing concerns about user privacy, anonymity [17], [28] is also an important issue. Anonymity protects the privacy of user information and his/her identification as well as protecting against abuse by unauthorized users. With the progressive integration of pay-TV and wireless communication, a variety of services such as pay-TV, PPV, impulse pay-per-view (IPPV), near-VOD, multimedia services, online games, etc. are being provided to subscribers.
The anonymous authentication of mobile broadcast TV becomes an important security issue. To realize anonymous authentication, an identity-based scheme is an attractive approach. Identity-based authentication applies an identity-based cryptosystem to realize anonymous service. The identity-based cryptosystem was first proposed by Shamir [3], [27]. In an identity-based cryptosystem [3], [27], the public key can be derived from the public information of a user such as e-mail, telephone number, address, or name. The major advantages of an identity-based cryptosystem [3], [16], [27] are that a public key need not be certificated by a certification authority (CA) mechanism, the CA mechanism is not needed, and the key exchange overhead can be reduced in the communication interaction. In order to meet these requirements, cryptosystems must be chosen carefully. Elliptic curve cryptography (ECC) is more efficient at the same security level, in terms of key length, than integer-factoring schemes such as RSA cryptography [4], [16], [20]. This means that the bandwidth and memory requirements for ECC are less than those for an RSA-based cryptosystem [4], [16], [20]. With these advantages, pairing over elliptic curves [3], [14], [20] has attracted considerable interest. Many applications of pairing such as encryption, digital signature, and authenticated key agreement have been proposed and discussed [3], [15], [25]. With these advantages, our scheme employing ECC and pairing will be able to perform efficient authentication for mobile pay-TV systems.

In past years, several authentication schemes [17], [28] for pay-TV have been proposed. These schemes are one-to-one delivery, in which one authentication message per request is delivered from a head end system to subscribers. These schemes therefore cause an inefficient broadcast. Additionally, as to the choice of cryptosystems, most of these schemes use RSA-based cryptosystems, which are inefficient and costly. In addition, they do not provide a hand-off mechanism and therefore are insecure in the hand-off case. With these shortcomings, these schemes are not suitable for mobile pay-TV. To provide a secure and efficient authentication mechanism for mobile pay-TV systems, we propose an efficient authentication scheme based on ECC. We consider the case in which many requests for the same service occur simultaneously or in a short period of time. In our scheme, by providing a one-to-many facility, one authentication message for multiple requests is broadcasted from a head end system to subscribers. Our scheme employs ECC and pairing to manipulate authentication parameters and authorization keys for the multiple requests. Through the pairing operation and ECC, our scheme obtains a better broadcast efficiency of authentication messages and moreover achieves a better distribution efficiency of authorization keys. Furthermore, our scheme provides an additional mechanism for hand-off authentication, which traditional schemes do not support. Additionally, our scheme is an identity-based authentication by pairing over ECC to provide anonymous authentication. Therefore, it also enjoys the advantages of identity-based authentication. Moreover, our scheme also provides the features of user privacy protection and mutual authentication, in the sense that a subscriber of a mobile pay-TV system can anonymously verify whether the head end system is genuine.
The rest of this paper is organized as follows: In Section II, we briefly review related works. In Section III, we briefly introduce elliptic curve cryptography and bilinear pairing. In Section IV, we propose an efficient mobile pay-TV authentication scheme employing ECC. Then discussions to analyze the security and performance are made in Section V. Finally, a conclusion is made in Section VI.

II. RELATED WORKS

In past years, several authentication schemes for CAS have been proposed [5], [17], [28]. In 1992, a CAS standard was proposed by ITU for pay-TV [5]. In this recommendation, the authentication of access management only provides subscriber authentication. Before a subscriber can purchase any service, he must register by providing personal information to a CAS head end system. After careful verification is performed during registration, the head end system issues a private key and secret information stored on a Smartcard to this subscriber. The head end system needs to frequently update and broadcast the CW and authorization keys corresponding to each channel to subscriber devices. Before a subscriber can obtain any service, he must insert his valid private key held on the Smartcard into his subscriber device and key in his password for authentication. The subscriber device which owns a valid private key can repeatedly listen to receive authorization keys. After the authentication through the password and private key validation, the subscriber device can obtain an authorization key by repeatedly listening. The subscriber then uses his private key and the authorization key to acquire services. In this scenario, the CAS only uses a password and private key to authenticate a subscriber, but does not provide any nonrepudiation [5], [17]. In order to improve the security of service access for pay-TV systems, several authentication schemes were proposed [17], [28]. In 2000, Lee et al. proposed an authentication scheme for pay-TV systems with privacy and nonrepudiation by employing a digital signature [17]. In Lee's scheme [17], by applying a public key cryptosystem, a subscriber first has to register his subscriber information with a signature to a provider. When a subscriber wants to subscribe to any programs, he uses his device to send a subscription message to the provider. The provider then sends a receipt with a signature confirming this subscription to the subscriber. For subscribers to access services, the provider frequently and iteratively updates and broadcasts all authorization keys to subscribers. However, Lee's scheme [17] only protects the customers' privacy, but not the provider's. In order to improve Lee's scheme, in 2003, Song and Korba proposed an "e-ticket" scheme for the authentication of pay-TV systems [28]. The e-ticket scheme achieves stronger privacy and nonrepudiation protection than Lee's scheme for pay-TV systems. The scheme employs an encrypted authentication message with a blind signature based on the RSA public key cryptosystem to perform mutual authentication [28]. In the e-ticket method [28], a subscriber first uses his device to send a request message with anonymous subscriber information to buy an e-ticket from a provider [28].
The provider blindly signs an anonymous e-ticket for the subscriber request and sends the anonymous e-ticket to this subscriber. When a subscriber wants to subscribe to some channels, he has to send the e-ticket to the provider for his subscription. The provider then broadcasts all encrypted authorization keys in a concatenated manner to subscribers. By applying the blind and anonymous signature, the e-ticket scheme [28] protects the privacy of both customers and service provider, and provides stronger privacy and nonrepudiation than Lee's. The existing authentication schemes are inefficient and not suitable for mobile pay-TV systems. The existing schemes [17], [28] are one-to-one mechanisms that do not consider the case in which many requests for the same service occur simultaneously or in a short period of time. Additionally, for the authorization key distribution, since both Lee's and Song's methods [17], [28] do not perform a compactness manipulation before broadcasting authorization keys, the provider needs to broadcast all authorization keys in an iterative or concatenated manner to subscribers frequently. These authentication approaches are very inefficient and costly, and cause a heavy burden on broadcast bandwidth utilization. Moreover, due to its wireless nature, a mobile set is vulnerable to attacks from intruders during hand-off. The existing schemes [5], [17], [19], [28] do not support hand-off authentication for the hand-off case. In cryptosystem application, traditional schemes [17], [19], [28] such as Song's, which use an RSA-based cryptosystem for identity validation and nonrepudiation, suffer from high communication cost. Both Lee's and Song's schemes [17], [28] are not identity-based authentication [3], [16], and therefore their schemes do not have the corresponding advantages. In addition, Song's scheme [28] applies a symmetric key cryptosystem [29] to protect privacy, thus their scheme also suffers from troublesome key distribution. With these shortcomings, their schemes are not suitable for mobile pay-TV systems. Thus, in this paper, an efficient authentication scheme based on ECC is proposed for mobile pay-TV systems to overcome these issues. Furthermore, we provide additional advantageous features which traditional schemes do not support.

III. PRELIMINARIES

A. ECC Cryptography

Elliptic curves for cryptography are defined over finite algebraic structures such as finite fields. For the convenience of description, we confine the elliptic curve to a field with characteristic . The elliptic curve over can be simplified as the following form: , where satisfy . The points on form a group including the point at infinity, denoted by . On the group definition, for a point on . Elliptic curve groups are additive groups. Let and be two distinct points of and draw a line through the two points. The line intersects the elliptic curve in a third point, and . If the line is tangent to the curve, then . Generally we define for any integer as point multiplication. It is very hard to find an integer such that for a given point on . This is called the elliptic curve discrete logarithm problem (ECDLP). Let be an elliptic curve over the finite field ; there exists an isomorphism between a set of certain points on and a subgroup of a finite field extension of . We denote the number of points in over as . Let be a prime number such that , and and the characteristic of the finite field extension of are relatively prime to each other. has points of order , i.e., the points satisfying , . We call a generator of the subgroup of over with .
Several schemes for cryptography using elliptic curves have been proposed [20]. The security of these methods is mainly based on ECDLP [21], [24]. As identity-based cryptography is widely explored, bilinear pairing is a nice scheme to realize identity-based cryptography. Bilinear pairing [20] maps a subgroup of points on an elliptic curve to a subgroup of elements in a finite field. More detailed descriptions of ECC theory can be found in books related to elliptic curve cryptography [20], [29], [30] or prior papers [4], [21].

B. Bilinear Pairing

In this section, we briefly introduce the definition and properties of bilinear pairing necessary for our scheme. More detailed research on pairing can be found in books related to pairing [20] and prior papers [3], [21]. Let be a cyclic additive group generated by , whose order is a prime , and be a multiplicative group with the same order . We assume the discrete logarithm problem (DLP) in both and is hard. Typically, is a subgroup of the group of points on an elliptic curve, and is a subgroup of the multiplicative group of a finite field. Let be the bilinear map, i.e., . A bilinear map satisfies the following conditions:
• Bilinear: and for all , .
• Nondegeneracy: There exists , such that .
• Computability: There is an efficient algorithm to compute in polynomial time.
Bilinear pairing has been realized on certain elliptic curves. The modified Weil pairing and the Tate pairing realize the bilinear pairing on supersingular elliptic curves [20], [25]. The security of bilinear pairing is based on certain hard problems such as the discrete logarithm problem (DLP) [20], [24]. Cryptanalysis of DLP is analogous to challenging an NP-complete problem. No algorithm that solves DLP in polynomial time exists. Formal descriptions are defined as follows:
• Discrete logarithm problem: Given and , it is hard to find an integer such that .

IV. EFFICIENT AUTHENTICATION SCHEME FOR ACCESS CONTROL IN MOBILE PAY-TV SYSTEMS

In this section, we propose an efficient authentication scheme for access control in mobile pay-TV systems. In this scheme, we employ ECC and pairing to achieve efficient authentication for mobile pay-TV. By ECC and pairing, this scheme achieves a one-to-many facility with efficient broadcasting advantages. We also apply an identity-based scheme to achieve anonymous authentication. In addition, we propose an additional hand-off authentication protocol which traditional schemes do not support. Our proposed protocol is described as follows.

A. System Description

A mobile pay-TV system consists of two important parts, the head end system (HS for short) including transmitters, and mobile sets (MSs for short). HS is a system with powerful processors for processing audio/video or multimedia services. The HS has SAS/SMS management systems including databases. The SAS/SMS management systems are responsible for authentication and key management, payment management, and subscriber information management.
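The three pairing properties listed in Section III-B (bilinearity, nondegeneracy, computability) can be checked mechanically. The following is an added toy example, not code from the paper: it uses an insecure bilinear map on integer groups (G1 = G2 = Z_113 under addition, G_T = the order-113 subgroup of Z_227^*, with e(a, b) = g^(ab mod 113); all values constructed) purely to exercise the definitions and the sum-to-product identity that lets a single broadcast value be checked by many receivers. Discrete logarithms are trivial in these groups, so this shows the algebra only; as the text states, real schemes use the modified Weil or Tate pairing on elliptic-curve subgroups.

```python
# Added example (not from the paper): an insecure toy bilinear map used only to
# exercise the defining properties of a pairing. Constructed parameters:
#   G1 = G2 = (Z_N, +) with prime N = 113,
#   G_T = the order-N subgroup of Z_Q^* with Q = 2N + 1 = 227 (prime),
#   e(a, b) = g^(a*b mod N) mod Q, where g has order N.
# The DLP is trivial here, so this has no cryptographic value.
from functools import reduce
from itertools import product

N = 113                              # prime group order (constructed)
Q = 2 * N + 1                        # 227, prime, so Z_Q^* has an order-N subgroup
G_T_GEN = pow(2, (Q - 1) // N, Q)    # 2^2 = 4, an element of order N in Z_Q^*


def e(a: int, b: int) -> int:
    """Toy bilinear map G1 x G2 -> G_T."""
    return pow(G_T_GEN, (a * b) % N, Q)


def is_bilinear(samples) -> bool:
    """Check e(aP, bQ) = e(P, Q)^(ab) and e(P + R, Q) = e(P, Q) * e(R, Q)
    on the supplied (a, b, P, Q, R) tuples."""
    for a, b, p, q, r in samples:
        if e((a * p) % N, (b * q) % N) != pow(e(p, q), (a * b) % N, Q):
            return False
        if e((p + r) % N, q) != (e(p, q) * e(r, q)) % Q:
            return False
    return True


def is_nondegenerate() -> bool:
    """Some pair (P, Q) maps to an element other than the identity 1 of G_T."""
    return any(e(p, q) != 1 for p, q in product(range(N), repeat=2))


def aggregate_check(parts, q: int) -> bool:
    """e(sum of parts, Q) equals the product of the individual pairings.
    This is the identity behind verifying one broadcast sum against many
    individual contributions."""
    total = sum(parts) % N
    product_of_pairings = reduce(lambda acc, p: (acc * e(p, q)) % Q, parts, 1)
    return e(total, q) == product_of_pairings


if __name__ == "__main__":
    samples = [(3, 5, 7, 11, 13), (0, 9, 4, 6, 8), (112, 2, 50, 60, 70)]
    print("bilinear:", is_bilinear(samples))
    print("nondegenerate:", is_nondegenerate())
    print("aggregate identity:", aggregate_check([5, 17, 29, 41], 9))
```

Computability is implicit: every call is a single modular exponentiation. On a real pairing-friendly curve the map is Miller's algorithm rather than exponentiation, but the three checks above are the same ones a practitioner runs when validating a pairing library.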
A transmitter is a station carrying the radio signal and transmitting the signal to the mobile sets of users. A mobile set is a user device acquiring a service. In addition, the mobile broadcast TV system [1] utilizes 3G/UMTS (Universal Mobile Telecommunications System) or GSM as a return channel connecting to the HS for interactive service. In this paper, we propose an authentication scheme for the mobile pay-TV system. When a user wants to buy mobile pay-TV services, he first has to register his private information, including identification information such as a personal identification number or e-mail, with an HS. If a user wants to acquire a service at any time, his mobile set has to send a message consisting of authentication and service request to the HS for user authentication. Once the HS authenticates the mobile set as a legal one, it broadcasts authentication information to every mobile set for HS authentication. When the mobile set verifies that the HS is a legal unit, the mobile set can obtain service rights. After that, if the user of the mobile set wants to subscribe to a service, his mobile set performs a subscription phase protocol to obtain the service. When a mobile set moves into the coverage area of a new transmitter, known as hand-off, the mobile set has to perform a re-authentication. In order to provide efficient processing, we assume the authentication mechanism of an HS equipped with a service scheduler performs scheduling for arriving authentication request messages. In any short period of time, it is possible that many requests arrive at the HS, of which many are for the same service. Let us assume that subscriber requests for the same service named arrive at the HS for their authentication in a short period of time, and that an authentication process for the same service in the short period of time is called one authentication process. For the convenience of discussion, the efficient authentication processes of HS are all based on one authentication process. The proposed protocol consists of four parts. The first part is the initialization phase for setting up parameters and key initialization. The second one is the issue phase protocol for service set-up; the third one is for subscription; and the fourth one is for hand-off. In this protocol, ECC and pairing are employed to raise the broadcast efficiency of mutual authentication. By applying ECC and pairing, an anonymity feature is also provided.
For the convenience of discussion, we first define a set of notations as follows:
1) : the th mobile set;
2) : the identity string of HS;
3) : the identity string of the th user;
4) : public key of HS;
5) : public key of ;
6) : private key of ;
7) : the secret key for ;
8) : authentication public key of HS;
9) : authentication public key of ;
10) SK: the shared secret between HS and ;
11) : a secret key generated by ;
12) : a secret key generated by HS;
13) : a service identity number;
14) : one-way hash function mapping ;
15) : one-way hash function mapping ;
16) //: comment notation used in our algorithm.

B. Initialization Phase

In this protocol, HS is responsible for generating the public and secret key information of all entities. For constructing a secure communication system, several parameters have to be generated by HS. In the initialization phase, HS performs the following executions:
• Select an elliptic curve with order and a base point . Make , , and known to the public.
• Compute the public key of HS by using the identity of HS.
• Compute the public key of by using the identity of the th user.
• Encode to .
• Choose a secret for HS, and compute the authentication public key .
• Choose a secret for , and compute the authentication public key for .
• Compute the private key for .
• Compute the secret key for .
• Choose a secret for HS, and initialize a secret service control parameter by .
• Encode to .

C. Issue Phase

Before a mobile user can obtain a service , his mobile set issues a service set-up request to launch a mutual authentication. For convenience, we call our efficient issue protocol based on ECC E-IP for short. The following protocol performs the issue phase as illustrated in Fig. 2. Assume that the th HS authentication process of the issue phase is performed for the discussion.
Step 1) chooses a secret , and computes the authentication parameters , , , , and by

By employing ECC encryption, it also preserves the privacy of the subscriber's identity.
Step 2) sends a message to HS for the service set-up of a service .
Step 3) HS receives the message . Upon reception of the request messages, HS decrypts each of the requests by computing and maps to . Afterward, HS schedules the arriving requests and identifies the arriving requests for the same service in a short period of time or simultaneously.
Step 4) HS performs the authentication work in one authentication process in the short period of time as follows. HS performs the authentication work for each of the arrived requests for the same service . In the authentication algorithm at HS, the loop procedure for processing the arrived requests is denoted as "while {do the authentication for each user request}". For each request, HS performs the following work in the loop procedure.
• HS first decrypts by computing
• Maps to and authenticates
• Computes SK by and authenticates by checking the following equation:


If the equation holds, HS accepts the as a legal unit and deducts the fee from the account of the th user; otherwise, HS rejects the service set-up request.
• HS manipulates the authentication parameters and into and by computing the following operations on the elliptic curve:

If the equation holds, HS is accepted as a legal system; otherwise, hangs up. Through the iterative point additions of authentication parameters and the pairing operation in the authentication process of HS, can compute its individual certification token. computes the th certification token by

This computation is correct because

The iterative point additions in the loop procedure are the preparations for the authentication at the mobile sets. The iterative additions raise the broadcasting efficiency with the one-to-many facility. At the end of the while loop procedure, the grouped parameters and for the requests for the same service in the short period of time are obtained. HS then constructs the authentication message . At the end of the while loop procedure, HS computes a purchase identity of the th authentication process and a certification token by

HS maps the requested service to a purchase identity by computing a one-way hash function . The system certificates a token by computing for the users who request the same service . HS then saves the parameters , and of the requests for the subscribers. The parameters are provided for the authentications of the subscription phase and the hand-off phase. In an authentication process, one purchase identity corresponds to the same for each . By employing pairing and ECC, it needs only one authentication message for all the users who requested the service .
Step 5) HS broadcasts the message to the mobile sets including .
Step 6) receives the message .
Step 7) computes SK by and authenticates HS by checking the following equation:

then

So . Step 8) HS chooses a new secret , and computes a new by for the next authentication process.

1) In E-IP, If a Mobile Set Is a Legal Unit, Then HS Can Authenticate the : Proof: In E-IP, chooses a secret to build a message, and sends it to HS. After receiving the first message, HS authenticates the by checking . HS then verifies that the equation holds, such that HS can authenticate the . The equation is correct because

where is the shared secret between the and HS.

2) In E-IP, If a Mobile Set Is an Illegal Unit, Then HS Rejects the : Proof: Based on ECDLP, the cannot decrypt and cannot pass the identity checking. Furthermore, based on ECDLP, without the knowledge of the secret and private key , cannot forge a valid message. Assume that forges the authentication parameters by , , , , , and . As does not know the valid and private key , the must create for replacing . However,

Since cannot solve ECDLP to compromise the secret , . Therefore, HS rejects the illegal by verifying the equation .

3) In E-IP, If HS Is a Legal Unit, Then the Can Authenticate the HS: Proof: In step 4 of E-IP, HS builds and by summing over and , and broadcasts a message to MSs. After receiving the message, verifies that the equation holds, such that can authenticate HS. The equation is correct because

where .

4) In E-IP, If HS’ Is an Illegal Unit, Then Rejects the HS’: Proof: Based on ECDLP, without the knowledge of the secret , HS’ cannot forge a valid message. Assume that HS’ forges parameters and by and . However

Since HS’ cannot solve ECDLP to compromise the secret and HS’ does not know the secret key , then . Therefore, rejects HS’ by the equation .

5) E-IP Can Provide Anonymous Service: Proof: In E-IP, builds a message, and sends it to HS. The identity is protected by a hash function and ECC. To crack the protected identity, the adversary will face the difficulty of hash function security and ECDLP. As the identity of the th user is hashed by , based on hash function security, it is difficult to crack identity . Moreover, is an encrypted parameter as with a secret . is an encrypted parameter as with a secret . encoded from is encrypted to as by ECC. In the message, there is no information exposed about identity .

Fig. 2. Issue phase protocol.


On the other hand, HS constructs and broadcasts it to MSs. is hashed by , and is an encrypted parameter as with secret . Hence, is an encrypted parameter as , is protected by , and is computed from pairing . The message also has no information exposed about identity . Hence, E-IP provides anonymous service.

D. Subscription Phase

After legality verifications are completed at the issue phase, can use the certificated token to subscribe to some services. When the user of wants to subscribe to a service , his has to perform the efficient subscription phase protocol (E-SP for short) illustrated in Fig. 3 as follows: Step 1) chooses a new secret , computes new , and by

Step 2) sends a message to HS for a service subscription. Step 3) HS receives the message . Upon the reception of the subscription messages, HS schedules the subscription messages for efficient service. Afterward, HS identifies the arriving requests in a short period of time. Step 4) HS performs re-authentication in one authentication process for the requests that have arrived in a short period of time. Since the parameters and are built in the issue phase, HS has to restore , , and for providing a legality check of . The HS authenticates by checking whether the equation holds or not. After that, it verifies that the is a legal token for each request by checking that the equation holds. If the equations hold, it indicates the user has acquired the service rights. In the loop procedure, HS manipulates the authentication parameters and into and , and manipulates the purchase identity into , by computing the following operations on the elliptic curve:

HS then certificates a group authorization key by computing for the requests. Step 5) HS broadcasts the message to mobile sets including .

Fig. 3. Subscription phase protocol.

Step 6) receives the message . Step 7) re-authenticates HS by checking the equation . If the equation holds, the HS is re-authenticated as a legal system. Through the iterative operations of authorization parameters in the authentication process of HS, computes its individual authorization key . derives the th authorization key by computing . then uses the authorization key and its private key to get services. In the same manner as the anonymous authentication proof of E-IP above, E-SP can also be proven to achieve anonymous and mutual authentication. Without the knowledge of the secret , an adversary cannot forge a valid message. Upon reception of the message, HS can re-authenticate by checking whether the equation holds or not. From HS to MSs, without the knowledge of the secret , the adversary cannot forge a valid message. can re-authenticate the HS by checking whether the equation holds or not. As to the anonymity, because the identity of user is hashed by , is secured by pairing, and the parameters , , and are encrypted by ECC, there is no information exposed for identity . In the opposite direction, since is constructed by


manipulating , which is encrypted by ECC, is constructed by applying , and is secured by a hash function by manipulating , there is no information exposed for identity . E-SP also provides an anonymous service.

E. Hand-Off Phase

When moves to the coverage area of a new transmitter such that a hand-off occurs, the has to perform the re-authentication protocol while a user is acquiring online services. It is possible for a forged transmitter or TV station to impersonate a genuine transmitter or TV station when a hand-off occurs. In the scheme, the efficient hand-off protocol (E-HAP for short) illustrated in Fig. 4 is proposed to do re-authentication when a hand-off occurs. Step 1) chooses a new secret , computes new , , and by

Step 2) sends a message to HS for re-authentication. Step 3) HS receives the message . Upon the reception of the hand-off re-authentication messages, HS schedules the request messages for efficient service. Afterward, HS identifies the arriving requests in a short period of time. Step 4) HS performs re-authentication in one authentication process for the requests that arrived in a short period of time. At first, it restores , , and for providing a legality check of . It performs re-authentication for by checking the equation and verifies that the is a legal token for each request by checking that the equation holds. If the equations hold, HS accepts the as a legal unit; otherwise, it rejects the re-authentication request. If is a legal unit, HS then manipulates the authentication parameters and into and . Step 5) HS broadcasts the message to the mobile sets including . Step 6) receives the message . Step 7) re-authenticates HS by checking the equation . If the equation holds, the HS is accepted as a legal system. In the same manner as the anonymous authentication proof of E-IP above, we can prove the correctness of E-HAP. Based on ECDLP, without the knowledge of the secret , an adversary cannot forge a valid message. After receiving the message, HS can re-authenticate by checking the equation . In the opposite direction, without the knowledge of the secret , the adversary cannot forge a valid message. can re-authenticate the HS by checking whether the equation holds or not. E-HAP also performs a mutual authentication between HS and . As to the anonymity, in the

Fig. 4. Hand-off phase protocol.

and messages, by ECC and hash protection, there is no information exposed about identity . It therefore provides an anonymous feature for hand-off.

V. DISCUSSIONS

A. Security Analysis

To provide a secure authentication protocol, resistance to attacks is an important criterion. In this section, we demonstrate the resistance of E-IP, E-SP, and E-HAP to the forgery attack, man-in-the-middle attack, and replay attack. 1) Resisting Forgery Attack: For an attacker to pass the authentication, he must forge valid authentication messages to satisfy the authentication equations and to pass identity checking. In the E-IP case, if an attacker wants to masquerade to pass the authentication, he must forge a valid message to satisfy the authentication equation and to pass identity checking. In the opposite direction, from HS to , he must forge a valid to satisfy the equation . However, without the knowledge of the secret of both HS and , an attacker cannot forge a valid message. We show the resistance to forgery attack by analyzing the forgery difficulty and compromise complexity. Assume that for an integer such that over elliptic curve , where is the order of , the bit length of is , and that , the number of group elements, is . In the ECC cryptosystem, the best known ECDLP complexity [20], [24] is approximately with an exponential


complexity. It means that the compromise complexity for compromising by is approximately . Firstly, we show the E-IP case as follows. Forgery Difficulty: : An attacker creates and forges the authentication parameters by , , , , , . He then sends the forged parameters and to HS. As he does not know the valid and private key , the attacker must create for replacing . HS checks whether the equation holds or not. However

The probability of which results in is approximately , where is the mathematical combination operation. This is a very low probability. It means that it will be very hard for an attacker to forge valid parameters to satisfy and pass the authentication. : In the same manner, an attacker creates and forges the parameters and by and . He then broadcasts the forged parameters to MSs including . checks whether the equation holds or not. However

Since is the secret key of and computes SK by , the probability of which results in is also approximately . It means that it is also very hard for an attacker to forge valid parameters to satisfy and pass the authentication. Compromise Complexity: Based on the ECDLP complexity, if the adversary wants to compromise by the equations , , , , or , he faces a compromise complexity . It means that with the exponential compromise complexity, it is very hard to compromise . In the opposite direction, if an attacker wants to compromise by for forging valid and , he also faces a problem with an exponential compromise complexity . As in the case of E-IP, both E-SP and E-HAP can also be proven to be resistant to forgery attack. From to HS, the probability of


with a forgery is approximately . From HS to , the probability of with a forgery is also approximately . The probability of is also approximately . As to the compromise of the secret of either or HS, he also faces a compromise complexity of . With the exponential compromise complexity, it is also very hard to compromise the secrets of either or HS to forge authentication parameters. 2) Resisting Man-in-the-Middle Attack: E-IP resists the man-in-the-middle attack because an attacker has no participant secrets to forge valid authentication messages, and both HS and share the secret SK. As E-IP resists forgery attack, and an attacker does not have the shared secret SK of both HS and , E-IP resists the man-in-the-middle attack. Without the knowledge of the secret of both HS and , it is very hard for him to forge valid authentication messages and the shared secret SK between HS and . We first show E-IP resisting the man-in-the-middle attack as follows. For convenience, we denote the man-in-the-middle attacker as MITM. : MITM Impersonates : After receiving the message, MITM creates the message and sends to HS:

The probability of with forging message is approximately . It means that, with a very low probability of the equation holding, HS can check if MITM is an illegal unit. : MITM Impersonates HS: After receiving the message, MITM creates and broadcasts to MSs including :

The probability of with forging message is approximately . It means that, with a very low probability of the equation holding, can check if MITM is not a legal unit. As in the case of E-IP, both E-SP and E-HAP can also be proven to be resistant to man-in-the-middle attacks. From to HS, the probability of with MITM forging authentication parameters is also approximately . From HS to , the probability of with MITM forging authentication parameters is also approximately . The probability of is also approximately . 3) Resisting Replay Attack: To resist replay attacks, an easy solution is to embed a timestamp into the authentication message. However, the timestamp method needs time synchronization. In our scheme, because the is randomly chosen by a mobile set in each authentication, the parameters such as , , , , and are randomly changed. On the other hand, a different authentication process constructs different , , , , , and . In addition, the is randomly chosen by HS in each authentication process, and the parameter


as is also randomly changed in each authentication process. This considerably reduces the possibility of replay attack.
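The forgery, compromise-complexity and replay arguments above all rest on two things: that recovering a scalar from a curve point (ECDLP) costs a number of group operations that grows exponentially in the bit length of the group order, and that a fresh random secret is drawn for every session. The following Python is an added illustration, not the paper's protocol or code: it builds a toy curve group small enough to brute force, so the quantities the analysis talks about can be seen directly. The curve y^2 = x^3 + 2x + 2 over F_17 with generator (5, 1) is a constructed textbook example whose group has prime order 19; the ECDH-style shared point is an assumed stand-in for the paper's unspecified SK derivation, and `count_valid_guesses` makes concrete the "one valid parameter out of n" probability the forgery-difficulty argument uses.

```python
"""Toy elliptic-curve group for the ECDLP and freshness arguments of
Section V-A.  Added illustration, not the paper's protocol or code.

Constructed toy parameters: the curve y^2 = x^3 + 2x + 2 over F_17 with
generator G = (5, 1), a textbook example whose group has prime order 19.
It is small enough to brute force, which is exactly what a real curve
(160-bit and up) prevents."""
import secrets

P, A, B = 17, 2, 2        # constructed toy curve: y^2 = x^3 + A x + B (mod P)
G = (5, 1)                # generator; its order is found by group_order()
INF = None                # point at infinity (group identity)


def is_on_curve(pt):
    """Check that a point satisfies the curve equation (or is INF)."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0


def point_add(p1, p2):
    """Group law on the curve: handles INF, inverse points and doubling."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                         # P + (-P) = INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """Double-and-add: k*pt.  This is the easy (one-way) direction."""
    result, addend = INF, pt
    while k > 0:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def group_order(pt):
    """Smallest n > 0 with n*pt == INF (brute force; fine for a toy curve)."""
    n, q = 1, pt
    while q is not INF:
        q = point_add(q, pt)
        n += 1
    return n


def solve_ecdlp(base, target):
    """Brute-force ECDLP: the k with k*base == target.  Each step is one
    group operation; generic attacks on an n-element group still need
    about sqrt(n) operations, so the cost grows exponentially in the bit
    length of n.  That is the 'exponential compromise complexity'."""
    k, q = 0, INF
    while q != target:
        q = point_add(q, base)
        k += 1
    return k


def count_valid_guesses(target):
    """How many scalars k in [0, n) satisfy k*G == target.  Exactly one
    does, so an attacker who guesses without the secret succeeds with
    probability 1/n per attempt."""
    n = group_order(G)
    return sum(1 for k in range(n) if scalar_mult(k, G) == target)


def fresh_session_parameter():
    """Per-session random secret r and public point r*G.  Because r is
    drawn fresh each time, a recorded message carries a stale r*G that
    does not match a new session's check (the replay argument above)."""
    n = group_order(G)
    r = secrets.randbelow(n - 1) + 1      # r in [1, n-1]
    return r, scalar_mult(r, G)


def shared_point(my_secret, peer_public):
    """Assumed ECDH-style shared point, a stand-in for the paper's
    unspecified SK derivation: a*(b*G) == b*(a*G)."""
    return scalar_mult(my_secret, peer_public)


if __name__ == "__main__":
    r, R = fresh_session_parameter()
    print("group order:", group_order(G))
    print("brute-force ECDLP recovers r:", solve_ecdlp(G, R) == r)
```

On this 19-element group `solve_ecdlp` finishes in at most 19 additions; on a 160-bit curve the same search is about 2^80 operations even with the best generic algorithms, which is the gap the paper's security argument relies on.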


TABLE I COMPARISON OF COMMUNICATION COST (BIT)

B. Performance Analysis and Comparison

In this section, we analyze the performance and compare our scheme with Lee’s [17] and Song’s [28] schemes. As mentioned in the preceding description, Song’s scheme is based on the RSA cryptosystem, and our scheme is based on ECC and pairing. For this analysis, we assume that Lee’s scheme is based on the RSA cryptosystem. Compared to RSA, the key length for ECC is significantly shorter at the same security level. This means that the bandwidth and memory requirements for ECC [20] are also less than those for an RSA-based cryptosystem. RSA-based cryptosystems need more complicated gate counts on a processor than ECC [20]. This means that a Smartcard system implementation using RSA-based cryptosystems costs more than one applying ECC [20]. This analysis illustrates that our scheme has a better performance than both Lee’s and Song’s. In particular, our scheme has a better performance on the communication cost when many requests for the same service occur simultaneously or in a short period of time. In this analysis, for the convenience of comparison, we assume that one authentication process, for the issue phase, subscription phase, or hand-off phase, will have requests arrive from mobile sets in a short period of time or simultaneously.

1) Communication Cost Comparison: Firstly, we analyze the communication cost and compare our scheme with both Lee’s [17] and Song’s [28] schemes. We analyze the communication cost of the related protocols based on the following assumptions and facts. Assume the identity and timestamp are both 32 bits long; the large prime in the modular operation is 1024 bits long; and a point on the elliptic curve is 320 bits long, since 160-bit ECC is equivalent in security to 1024-bit RSA [4], [16]. In 1999, Caelli et al. published valuable research results about the security and efficiency of ECC for public key infrastructure (PKI) schemes [4]. In Caelli’s results for PKI schemes, for a 100-bit plaintext message, the size of the encrypted is 1024 bits by RSA and 321 bits by ECC [4]. We analyze the communication cost by applying Caelli’s research results for PKI schemes. Both Lee’s and Song’s schemes [28] are one-to-one schemes that do not consider the case of many requests for the same service occurring simultaneously or in a short period of time. Our scheme is a one-to-many scheme that does consider such cases. In Table I, we compare our scheme with both Lee’s and Song’s under requests for the same service occurring in a short period of time. In Table I, our scheme has a better performance on communication cost. Our scheme achieves a better broadcast efficiency for authentication message broadcast. In the issue phase, our scheme needs only 1.92 K bits for the authentication message to issue a service request for authentication. However, as very few features are provided in their schemes, Song’s still needs 3.8 K bits and Lee’s needs 1 K bits. In the broadcast direction, our scheme needs only 0.96 K bits for the authentication broadcast message, but Song’s scheme would need 2.78 K bits for delivery. As Lee’s does not support mutual authentication in the issue phase, no message is broadcast from HS to MSs. In the subscription phase, our scheme needs only a 1.28 K bit subscription message, but Song’s needs a 4.82 K bit message to make a subscription and Lee’s needs 1.7 K. In the broadcast direction, our scheme needs only a 0.96 K bit message, but Song’s scheme needs 3.77 K bits and Lee’s needs 11.5 K including the authorization key. In the case of requests arriving simultaneously or in a short period of time, our scheme needs only one message to be broadcast in one authentication process of the head end. However, both Lee’s and Song’s schemes need to deliver authentication messages to subscriber sets under the requests. This illustrates that our scheme provides a very efficient message broadcast from the head end system to mobile sets. As illustrated in the preceding description, our scheme provides an additional mechanism for hand-off authentication. In the hand-off case, our scheme still achieves the efficient broadcast in that it needs only one broadcast message of 0.64 K bits, assuming requests occurring simultaneously or in a short period of time.

2) Computation Cost Comparison: For the convenience of illustration, we analyze the computation cost in terms of the following notations: represents a pairing operation and represents point multiplication in . Besides, represents modular exponentiation. In this comparison, we compare the major computations. In pairing over ECC, the pairing operation and point multiplication are time consuming. In RSA-based cryptography, modular exponentiation is time consuming. Compared to the pairing operation, the computation burden of multiplication in and addition in can be ignored. Similarly, compared to modular exponentiation, the computation burden of modular multiplication and modular addition can be ignored. We evaluate the computation cost by separating the mobile set and HS so that we can investigate the computation cost in the mobile set and HS more precisely. The results illustrated in Table II are evaluated under the assumption of the arrived requests in one authentication process. In the issue phase, at the mobile set, our proposed scheme requires three pairing operations and nine multiplications in . At the head end system side, it needs pairing operations and point multiplications in . However, Song’s scheme needs six modular exponentiations at the mobile set, and modular exponentiations at the head end system. Lee’s scheme needs one modular exponentiation at the mobile set, and modular exponentiations at the head end system. In the subscription phase, Song’s scheme needs operations and Lee’s needs operations, but our scheme needs only


TABLE II COMPARISON OF COMPUTATION COST

TABLE III COMPARISON OF COMPUTATION TIME IN MOBILE SET (SECONDS)

operations at the mobile set. At the head end system, Song’s scheme needs the computation cost of , Lee’s needs , but our scheme needs only the computation cost of . In the case of hand-off, our scheme requires the computation cost of operations at the mobile set, and operations at the head end system. Research on the computation efficiency of pairing techniques is still ongoing. Different efficient pairing algorithms as well as implementation approaches have been proposed. In their 2005 implementation of pairings on Smartcards [26], Scott et al. pointed out that the computation performance of pairing is about the same as that of RSA decryption. Point multiplication over is faster than RSA decryption [26]. Using Scott’s implementation results and the Table II estimations, we compare our scheme to both Lee’s and Song’s in regard to the computation time on the Smartcard processor in the mobile set. Due to the limited resources available in a mobile set, low-end processors are considered. The computation efficiency of an authentication scheme is determined by the cryptosystem operations as well as the features and functions provided. Compared to both Lee’s and Song’s schemes, our scheme has the following additional advantageous features: 1) one-to-many facility, 2) identity-based authentication, and 3) hand-off authentication, which both Lee’s and Song’s do not support. This results in only a slight increase in computation time, as shown in Table III.

3) Functionality Comparison: To provide a better authentication for mobile pay-TV systems, many features and functions are required. As illustrated in Table IV, since our scheme provides advantageous features and functions, it is well suited for

TABLE IV COMPARISON OF FUNCTIONALITY

mobile pay-TV. In Table IV, we compare our scheme with traditional schemes such as Song’s in regard to the features and functions required for mobile pay-TV systems. In summary, most traditional schemes such as Song’s are based on the RSA cryptosystem, while our scheme is based on pairing over ECC. Our scheme inherits the merits of ECC: small key size and high security. As our scheme provides a one-to-many facility while traditional schemes are one-to-one methods, as illustrated in Table IV, our scheme achieves a very low communication cost. In addition, our scheme is an identity-based authentication and obtains the advantages of the identity-based cryptosystem. Moreover, our scheme provides an additional mechanism for hand-off authentication, which traditional schemes such as Song’s and Lee’s do not support. This additional hand-off authentication protects the service access while preventing attacks in the hand-off case. As illustrated in Table IV, with the additional function for hand-off authentication, better broadcast efficiency, performance, and functions, our scheme is well suited for mobile pay-TV.

VI. CONCLUSIONS

In this paper, we propose an efficient authentication scheme for access control in mobile pay-TV systems. Our scheme not only performs better than existing ones, it also provides an additional mechanism for hand-off authentication for mobile pay-TV. Our additional hand-off authentication secures the service access while protecting against attacks in the hand-off case. By ECC and pairing, it achieves the features of anonymity and mutual authentication. It also achieves the advantages of broadcast efficiency with the one-to-many facility. By manipulating authentication parameters and the pairing operation at the head end system, mobile sets can still perform authentication and individually compute the certification token and authorization key . In addition, the proposed scheme inherits the merits of ECC with small key size and high security. Additionally, the scheme also adopts an identity-based scheme, which has the advantages that a public key need not be certificated and the key exchange overhead can be reduced, to provide anonymous authentication for protecting identity privacy. From our security analysis and performance analysis results, the proposed scheme is a secure and efficient authentication scheme for mobile pay-TV systems. By employing pairing and ECC, the scheme can resist forgery attacks and man-in-the-middle attacks, and reduce the possibility of replay attacks. With the gradual integration of heterogeneous networks, several digital rights management (DRM) standards such as DVB service purchase and protection (DVB-SPP) have also been under active development [1], [13]. In the future, more efficient pairing technologies as primitives of


authentications or DRM applications can be further researched. More research on applying ECC to the security of mobile broadcast TV is still worth exploring.

ACKNOWLEDGMENT

The authors would like to thank the reviewers for their valuable comments and suggestions, which certainly led to improvement of this paper.

REFERENCES

[1] F. Allamandri et al., “Service platform for converged interactive broadband broadcast and cellular wireless,” IEEE Trans. Broadcast., vol. 53, no. 1, pt. 2, pp. 200–211, Mar. 2007.
[2] K. C. Almeroth and M. H. Ammar, “An alternative paradigm for scalable on-demand applications: Evaluating and deploying the interactive multimedia jukebox,” IEEE Trans. Knowl. Data Eng., vol. 11, no. 4, pp. 658–672, Jul.-Aug. 1999.
[3] D. Boneh and M. Franklin, “Identity-based encryption from the Weil pairing,” in Proc. Advances in Cryptology-CRYPTO, 2001, pp. 213–239.
[4] W. J. Caelli, E. P. Dawson, and S. A. Rea, “PKI, elliptic curve cryptography, and digital signatures,” Comput. Secur., vol. 18, no. 1, pp. 47–66, 1999.
[5] Conditional-Access Broadcasting System, ITU-R Rec. 810, 1992.
[6] F. Coutrot and V. Michon, “A single conditional access system for satellite-cable and terrestrial TV,” IEEE Trans. Consum. Electron., vol. 35, no. 3, pp. 464–468, Aug. 1989.
[7] DVB Documents, DVB Technical Report DVB-H185r3, 2003.
[8] EBU Technical Review, A Functional Model of a Conditional Access System, 1995. [Online]. Available: http://www.ebu.ch/trev266-ca.pdf
[9] G. Faria, J. A. Henriksson, E. Stare, and P. Talmola, “DVB-H: Digital broadcast services to handheld devices,” Proc. IEEE, vol. 94, no. 1, pp. 194–209, Jan. 2006.
[10] E. Gallery and A. Tomlinson, “Conditional access in mobile systems: Securing the application,” in Proc. 1st Int. Conf. Distributed Frameworks for Multimedia Applications (DFMA’05), Feb. 2005, pp. 190–197.
[11] Head-End Implementation of DVB Simulcrypt, ETSI Standard ETSI TS 103 197 V1.4.1, 2004.
[12] Y. L. Huang, S. Shieh, F. S. Ho, and J. C. Wang, “Efficient key distribution schemes for secure media delivery in pay-TV systems,” IEEE Trans. Multimedia, vol. 6, no. 5, pp. 760–769, Oct. 2004.
[13] IP Datacast over DVB-H: Service Purchase and Protection (SPP), DVB Standard, 2005.
[14] Z. Jia, Y. Zhang, H. Shao, Y. Lin, and J. Wang, “A remote user authentication scheme using bilinear pairings and ECC,” in Proc. 6th Int. Conf. Intelligent Systems Design and Applications (ISDA ’06), Oct. 2006, vol. 2, pp. 1091–1094.
[15] A. Joux, “A one round protocol for tripartite Diffie-Hellman,” in Proc. Algorithmic Number Theory Symp. (ANTS IV), 2000, vol. 1838, Lecture Notes in Computer Science, pp. 385–394.
[16] K. Lauter, “The advantages of elliptic curve cryptography for wireless security,” IEEE Wireless Commun., vol. 11, no. 1, pp. 62–67, Feb. 2004.
[17] N. Lee, C. Chang, C. Lin, and T. Hwang, “Privacy and non-repudiation on pay-TV systems,” IEEE Trans. Consum. Electron., vol. 46, no. 1, pp. 20–27, Feb. 2000.
[18] J. Liu, C. Yang, and J. Tian, “A novel conditional access architecture for TV service protection,” in Proc. Int. Conf. Computational Intelligence and Security Workshops (CISW 2007), Dec. 2007, pp. 608–611.
[19] B. M. Macq and J. Quisquater, “Cryptology for digital TV broadcasting,” Proc. IEEE, vol. 83, no. 6, pp. 944–957, Jun. 1995.
[20] A. Menezes, Elliptic Curve Public Key Cryptosystems. Norwell, MA: Kluwer, 1993.
[21] A. J. Menezes, T. Okamoto, and S. A. Vanstone, “Reducing elliptic curve logarithms to a finite field,” IEEE Trans. Inf. Theory, vol. 39, no. 5, pp. 1636–1646, Sep. 1993.
[22] J. Moon, J. Park, and E. Paik, “JavaCard-based two-level user key management for IP conditional access systems,” in Proc. 15th IEEE Int. Conf. Networks (ICON 2007), Nov. 2007, pp. 72–76.
[23] V. Ollikainen and C. Peng, “A handover approach to DVB-H services,” in Proc. IEEE Int. Conf. Multimedia and Expo, Jul. 2006, pp. 629–632.
[24] G. Seroussi, “Elliptic curve cryptography,” in Proc. Information Theory and Networking Workshop, 1999, p. 41.
[25] N. P. Smart, “Identity-based authenticated key agreement protocol based on Weil pairing,” Electron. Lett., vol. 38, no. 13, pp. 630–632, Jun. 2002.
[26] M. Scott, N. Costigan, and W. Abdulwahab, Implementing Cryptographic Pairings on Smartcards, Cryptology ePrint Archive, Rep. 2006/144, 2006.
[27] A. Shamir, “Identity-based cryptosystem and signature scheme,” in Proc. Crypto-84, Santa Barbara, CA, 1984, pp. 47–53.
[28] R. Song and L. Korba, “Pay-TV system with strong privacy and nonrepudiation protection,” IEEE Trans. Consum. Electron., vol. 49, no. 2, pp. 408–413, May 2003.
[29] W. Stallings, Cryptography and Network Security. Englewood Cliffs, NJ: Prentice-Hall, 2003.
[30] D. R. Stinson, Cryptography Theory and Practice. London, U.K.: Chapman & Hall/CRC, 2006.
[31] H. M. Sun, C. M. Chen, and C. Z. Shieh, “Flexible-pay-per-channel: A new model for content access control in pay-TV broadcasting systems,” IEEE Trans. Multimedia, vol. 10, no. 6, pp. 1109–1120, Oct. 2008.
[32] Y. Tseng, M. Yang, and C. Chang, “A recursive frequency-splitting scheme for broadcasting hot videos in VOD service,” IEEE Trans. Commun., vol. 50, no. 8, pp. 1348–1355, Aug. 2002.
[33] S. Y. Wang and C. S. Laih, “Efficient key distribution for access control in pay-TV systems,” IEEE Trans. Multimedia, vol. 10, no. 3, pp. 480–492, Apr. 2008.

Hung-Min Sun received the B.S. degree in applied mathematics from National Chung-Hsing University in 1988, the M.S. degree in applied mathematics from National Cheng-Kung University in 1990, and the Ph.D. degree in computer science and information engineering from National Chiao-Tung University in 1995. He was an Associate Professor with the Department of Information Management, Chaoyang University of Technology, from 1995 to 1999; the Department of Computer Science and Information Engineering, National Cheng-Kung University, from 1999 to 2002; and the Department of Computer Science, National Tsing Hua University, from 2002 to 2008. Currently he is a Professor with the Department of Computer Science, National Tsing Hua University. He has published over 100 international journal and conference papers. His research interests include information security, cryptography, and network security. Dr. Sun was the program co-chair of the 2001 National Information Security Conference and a program committee member of the 1997 and 2005 Information Security Conference in Taiwan; the 2000 Workshop on Internet and Distributed Systems; the 2001-2002 and 2005 Workshop on the 21st Century Digital Life and Internet Technologies; the 1998-1999 and 2002-2008 National Conference on Information Security; ACISP’04; NCS’2001; ICS’2002; ITRE’2005; NCS’2007; ISC 2008 Special Session on AES Subcommittee; and SH 2008.

Muh-Chyi Leu received the B.S. degree in computer science from Tamkang University, Taipei County, Taiwan, in 1985 and the M.S. degree in computer science from National Chiao Tung University, Hsinchu, Taiwan, in 1993. He is currently pursuing the Ph.D. degree in computer science from National Tsing Hua University, Hsinchu. He is also currently a Senior Engineer with the Industrial Technology Research Institute (ITRI) in Hsinchu. He has joined the digital TV system project of ITRI to develop DRM and CA technologies. His current interests include network security, cryptography, and digital rights management.
